From 32f8d22decd153feb494789af7df0c8d44909162 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Wed, 23 Jul 2025 19:36:54 +0200
Subject: [PATCH] Include the issuer URLs in the error message when they don't match
---
 crates/oauth2-types/src/oidc.rs | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/crates/oauth2-types/src/oidc.rs b/crates/oauth2-types/src/oidc.rs
index 25518ab75..a9befbea1 100644
--- a/crates/oauth2-types/src/oidc.rs
+++ b/crates/oauth2-types/src/oidc.rs
@@ -647,7 +647,10 @@ impl ProviderMetadata {
 let metadata = self.insecure_verify_metadata()?;
 if metadata.issuer() != issuer {
- return Err(ProviderMetadataVerificationError::IssuerUrlsDontMatch);
+ return Err(ProviderMetadataVerificationError::IssuerUrlsDontMatch {
+ expected: issuer.to_owned(),
+ actual: metadata.issuer().to_owned(),
+ });
 }
 validate_url(
@@ -1064,8 +1067,13 @@ pub enum ProviderMetadataVerificationError {
 UrlWithFragment(&'static str, Url),
 /// The issuer URL doesn't match the one that was discovered.
- #[error("issuer URLs don't match")]
- IssuerUrlsDontMatch,
+ #[error("issuer URLs don't match: expected {expected:?}, got {actual:?}")]
+ IssuerUrlsDontMatch {
+ /// The expected issuer URL.
+ expected: String,
+ /// The issuer URL that was discovered.
+ actual: String,
+ },
 /// `openid` is missing from the supported scopes.
 #[error("missing openid scope")]
@@ -1314,7 +1322,7 @@ mod tests {
 metadata.issuer = Some("https://example.com/".to_owned());
 assert_matches!(
 metadata.clone().validate(&issuer),
- Err(ProviderMetadataVerificationError::IssuerUrlsDontMatch)
+ Err(ProviderMetadataVerificationError::IssuerUrlsDontMatch { .. })
 );
 // Err - Not https
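Review bot: The `actual` value placed in the new `IssuerUrlsDontMatch { .. }` return is copied from the fetched provider metadata, so it is remote-controlled text of unbounded length that now travels with the error into whatever logs or responses the caller produces. The `{actual:?}` Debug formatting in the message escapes control characters, which keeps log lines intact, but nothing documents that constraint for callers that read the field directly; a comment above the return such as `// actual comes from the remote discovery document: untrusted, keep it Debug-formatted when shown` would record it. `metadata.issuer()` is also evaluated twice, and binding it once before the comparison (`let actual = metadata.issuer();`) would read more cleanly. The enclosing `validate` body starts and ends outside this hunk.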
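Review bot: The field docs on the new `IssuerUrlsDontMatch` struct variant use "discovered" in a way that conflicts with the variant's own doc line, which already says the issuer "doesn't match the one that was discovered", so a reader cannot tell which side is the caller's and which is the remote one. I would word them as `/// The issuer the caller passed to validation.` for `expected` and `/// The issuer declared in the fetched metadata (remote-controlled, untrusted).` for `actual`. Changing a unit variant into a struct variant also breaks any code outside this crate that constructs or matches the old form; whether such consumers exist is not visible here, so a changelog entry may be warranted. The enum body continues outside this hunk.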
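Review bot: The updated assertion matches `IssuerUrlsDontMatch { .. }` and so never checks the two fields this commit introduces; swapping `expected` and `actual` in `validate` would still pass. Since the metadata issuer is set to a known literal two lines above, the pattern can pin it with a guard, for example `Err(ProviderMetadataVerificationError::IssuerUrlsDontMatch { actual, .. }) if actual == "https://example.com/"`, and `expected` can be checked the same way against the `issuer` binding, which is defined outside this hunk. The test function starts and ends outside the hunk.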